Tutor LMS Pro Insecure Direct Object Reference Vulnerability Allowing Assignment Manipulation

Vulnerability

The Tutor LMS Pro WordPress plugin is vulnerable in all versions up to and including 3.8.3. The issue is an Insecure Direct Object Reference (IDOR) caused by inadequate validation of user-controlled keys in the tutor_assignment_submit() function. As a result, authenticated attackers with Subscriber-level access or higher can access and modify the assignment submissions of other students.
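The missing control in this class of bug is an ownership check on the record that a request-supplied key selects. The following added example is not Tutor LMS Pro's code or its patch; it is a plain-PHP model in which the function names, the submission_id and answer fields, and the sample store are all hypothetical.

```php
<?php
// Constructed sample store: submission ID => record. Not the plugin's schema.
$submissions = [
    101 => ['owner_id' => 7, 'assignment_id' => 55, 'answer' => 'Draft by user 7'],
    102 => ['owner_id' => 9, 'assignment_id' => 55, 'answer' => 'Draft by user 9'],
];

// Flawed pattern: the request-supplied ID alone selects the record to change.
function submit_unchecked(array &$store, int $currentUser, array $request): bool
{
    $id = (int) ($request['submission_id'] ?? 0);
    if (!isset($store[$id])) {
        return false;
    }
    $store[$id]['answer'] = (string) ($request['answer'] ?? '');
    return true;
}

// Hardened pattern: the record's stored owner must match the session user.
// In WordPress, $currentUser would come from get_current_user_id(),
// never from a request parameter.
function submit_checked(array &$store, int $currentUser, array $request): bool
{
    $id = (int) ($request['submission_id'] ?? 0);
    if ($currentUser <= 0 || !isset($store[$id])) {
        return false;
    }
    if ($store[$id]['owner_id'] !== $currentUser) {
        // Same failure as "not found", so the response does not confirm valid IDs.
        return false;
    }
    $store[$id]['answer'] = (string) ($request['answer'] ?? '');
    return true;
}

// Constructed request: session user 7 names a submission owned by user 9.
$request = ['submission_id' => '102', 'answer' => 'changed'];

$a = $submissions; // arrays copy by value, so each run starts from the same data
var_dump(submit_unchecked($a, 7, $request), $a[102]['answer']);

$b = $submissions;
var_dump(submit_checked($b, 7, $request), $b[102]['answer']);
```

A regression test for a fix of this kind should assert both that the cross-user write is rejected and that the owner's own submission still succeeds.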

Impact

Exploitation of this vulnerability allows for unauthorized viewing and editing of assignment submissions belonging to other students.

Remediation

Users can update to Tutor LMS Pro version 3.9.0 or later, where this vulnerability has been patched.

Added: Oct 25, 2025, 6:23 AM
Updated: Oct 25, 2025, 6:23 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 4.8
remediation: 7.7
relevance: 0.8
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.